Rajesh Sethumadhavan posted another vulnerability in Google’s Orkut. This one is a tad more obscure because it requires user input (clicking a link) to execute the exploit. Here’s the disclosure:

1) Orkut Invite XSS:

The flaws are due to improper sanitization of inputs passed to the 'show' parameter in a GET request.
--------------------------------------------------------------------
http://www.orkut.com/Friends.aspx?show=group1);alert(document.cookie
--------------------------------------------------------------------

I’ve never been a big fan of social networking sites for the (lack of) security aspect. With the recent rash of XSS worms out there, these sites should probably start considering these issues as serious. Since Google doesn’t appear to have the required resources in-house, they should really consider hiring outsourced help to fix them. At least they are getting some input from their users, even if they aren’t able to find their own security flaws. Until then, it’s probably still a good idea to steer clear of these websites from a consumer perspective.
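The shape of the string in the disclosure (a closing parenthesis followed by a statement) suggests the 'show' value is written into an inline script as a function argument. The sketch below is an added example, not Orkut's code and not part of the original post; the `showFriends` call, the allowed values and the template are assumptions. It contrasts raw concatenation with allowlist validation plus JavaScript-string encoding.

```javascript
// Constructed example: the page template and showFriends() are hypothetical.
// Assumption: the `show` value is copied into an inline <script> as an argument.

const ALLOWED_SHOW = new Set(["all", "group1", "group2"]); // hypothetical valid values

// Flawed pattern: the raw parameter is concatenated into a JavaScript context.
function renderVulnerable(show) {
  return `<script>showFriends(${show});</script>`;
}

// Fix, part 1: accept only known values and fall back to a default.
function validateShow(show) {
  return ALLOWED_SHOW.has(show) ? show : "all";
}

// Fix, part 2: emit the value as a quoted JS string literal that cannot
// close the string, the call, or the surrounding <script> element.
function jsLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderHardened(show) {
  return `<script>showFriends(${jsLiteral(validateShow(show))});</script>`;
}

// The query string quoted in the disclosure above.
const url = new URL("http://www.orkut.com/Friends.aspx?show=group1);alert(document.cookie");
const show = url.searchParams.get("show");

console.log(renderVulnerable(show));  // value ends the call and adds a statement
console.log(renderHardened(show));    // unknown value replaced by the default
console.log(jsLiteral(show));         // encoding alone keeps it inert string data
```

Either control alone stops this input; using both means a future widening of the allowlist does not reopen the script context.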

This entry was posted on Monday, December 11th, 2006 at 9:09 pm and is filed under XSS, Webappsec.